Friday, June 24, 2016

Can Google do Cyber Deterrence?

I want to post a few of my issues with this paper. First of all, it is not a good sign when you start lumping all of CNO together when talking about cyber deterrence, or when much of your paper consists of quotes from various ex-government management types, producing a sort of policy telephone game. And when you listen to Fred Kaplan talk about cyber deterrence following his book (00:33 here), he says we're only beginning to ask the right questions.

I will disagree with a cogent example: Google.

Google practices strategic cyber deterrence against many nation states using all the tools explained in Joshua Tromp's paper. Once the CEO realized they had been had by the Chinese Government, who were themselves looking for State dissidents, he poured an insane amount of resources into the problem, and to this day Google operates a capability that outclasses most nation states when it comes to deterrence.

We can compare Google's access to information to a nation state's SIGINT arm, and it's obvious that they could, if they so desired, unmask the efforts of any country's intelligence services with a quick look at their massive database of human behavior and location. Likewise, once the hacking was discovered Google pulled out of China, which puts economic and social pressure on the Chinese government. And they increased the cost of activity against them by massively improving their own internal defensive efforts, buying companies with groundbreaking technology in the sector, and making sure to build out cooperation with US intelligence.

It's also easy to forget how Google is now warning users if they are being targeted by nation states via Phishing attacks or password guessing. This level of attention means that if you target Google and they catch you, you might lose the ability to target people THROUGH Google. How long before your Android phone warns you that you're being followed by state security in Beijing by tracking your phone and theirs?

So to sum up:

Google increased their CND investment

They operated in concert with other state actors to increase social costs of Chinese cyber offensive operations

They maintain a strategic deterrence in their ability to unmask HUMINT efforts by the Chinese

Of course, now that the deterrence engine is in place, they can also operate it at some level against the US Government.

FireEye's recent graph is very interesting - although indicting people is strategically dangerous, it may also work.

Ok, so back to Joshua's paper. It is full of stuff like this:

It all SOUNDS legit, but you can't make policy or strategic decisions on this kind of "data".

Just to take one example from that paragraph, "The nations that are the most powerful are actually the most vulnerable to cyber-attacks". This is not really true. While yes, it is hard to affect Afghanistan's government via cyber, having a full-take of their cell phone network lets you control it as well as anything else could. And would you rather go up against Google or your local dentist when it comes to cyber war?

Basically, repeating all the "things people know" about the Cyber domain and then trying to draw deterrence out of that grand picture does not provide a way of really looking at the problem. It may be that without a clearance it is impossible to draw an accurate picture, using metrics, of how well deterrence works in the field, but even if it is possible, we would need a more focused analysis of the problem than is presented in the paper.

2 comments:

I would like to thank Mr. Dave Aitel for his critique of my paper. Journals such as Small Wars Journal exist to provoke dialogue among their informed readership. Aitel concludes that my research simply repeated "all the things people know" about the cyber domain but did not "provide a way of really looking at the problem." I, and the rest of the community who work in the challenging area of cyber conflict, invite Aitel to help fill this knowledge gap.

I felt it necessary to respond to Aitel's critique. His first issue was the inclusion of CNE, CNA, and CND under CNO. I am probably missing his point here but this is exactly how the environment is defined by the U.S. Department of Defense as cited in my paper. Aitel may find it more convenient to focus on one element (CNE in his Google reference) but the U.S. government must consider the whole realm of cyber operations. Deterrence of an "attack" (which is hard to define as explained in my paper) is important, as is deterring espionage. Certainly network defense plays a role in deterrence as well. Aitel references Google's efforts to counteract Chinese cyber espionage. Does he assume Google is not also interested in preventing destructive attacks (CNA)? Also, in an era where the media and even many politicians incorrectly throw around the term "cyber-attack," I believe it is valuable to explain the vast differences in types of cyber operations and the difficulties in deterring these different activities.

Aitel does make some interesting statements and may have professional experience with which to back up his claims. Unfortunately, without citations of peer-reviewed or expert sources these conclusions do not meet the standard necessary for the academic conditions under which I conducted my research (which was summarized in this Small Wars Journal piece.)

For example, "Google . . . could, if they so desire, unmask the efforts of any country's intelligence services." This statement, if true, certainly must keep Admiral Rogers and the rest of the Intelligence Community awake at night. A reference here would be valuable. Also, Aitel argues with Amy Zegart's statement that America is more at risk of a cyber attack because it is more dependent on its computer networks than are other nations or groups. He references Afghanistan and says taking over their cell phone networks would result in control over their government in a conflict. Aitel misses Zegart's, and my, point here. Although an enemy nation or terrorist group may use cell phones to communicate, their weapon systems are not as dependent on computer networks as are America's. Consider the use of low-tech, non-networked, pressure plate triggered EFPs which proved to be incredibly destructive against U.S. Forces. And the citizens of a country like Afghanistan are not as dependent on computer networks as are Americans. Taking down the internet in Afghanistan would not disrupt the country to the same extent it would the US, where we depend on networked technology for daily living. Perhaps Aitel has some research he could cite which counters Zegart's position?

Finally, although Aitel started his critique with concern over my consideration of all of CNO in looking at cyber deterrence, he is also guilty of doing the same. Aitel mentions Google's efforts to deter CNE by increasing their CND. So he included two out of the three elements of CNO. And as stated earlier, one must assume Google is also very interested in ensuring its networks are not affected by CNA. Deterrence of nefarious cyber activities must include the whole of CNO.